Explore how to protect Software Defined Networks from vulnerabilities & attacks through embedded security measures and authentication mechanisms.
SECURITY ARCHITECTURE FOR PREVENTING MALICIOUS ATTACKS IN SOFTWARE DEFINED NETWORK (SDN). O. OSUNADE and O. A. OKUNADE, Department of Computer Science, University of Ibadan, Nigeria. Email: o.osunade@ui.edu.ng and okunadeoa@hotmail.com
Presentation Outline: Introduction/Background to the study; Problem Statement; Research Questions; Aim and Objectives; Related work; Methodology; Result; Conclusion; References. 1/29/2019 2
Background to the study • The Internet is a critical infrastructure for today's world, just like transportation and electricity. • Today's network architecture has the network devices and middleboxes vertically integrated: • The hardware and software are provided by the same manufacturer. • The network cannot be customized at will. • New software may not be installed because of incompatible hardware. • Currently available software cannot leverage all the hardware capabilities. • There is no way to obtain a global view of the network.
Introduction • Software Defined Networking is a result of the necessities stated above. • SDN is an example of "programmable networks", a stage in the evolution of networks. • The basic driving ideas of SDN: decoupling of the control plane from the data plane, a centralized controller with a global view of the network, programmability of the network, and a defined interface between the planes. • The control plane is all the logic that decides what is to be done and instructs the data (or forwarding) plane to implement the decision. • The control plane holds the logic that controls network behaviour: tracking topology changes, installing forwarding rules, computing routes, and so on.
Introduction (Cont'd.) • The data plane, on the other hand, forwards traffic based on the rules dictated by the control plane logic. • The controller can see the status of all routes and switches and quickly decide the best route. • It helps in selecting the best egress point in an autonomous system for different flows. • It gives room for horizontal integration of networking devices, which allows separate and independent growth of hardware and software. • It also allows rapid innovation in software, because many new players can work on developing controller applications as long as they have a well-defined API to communicate with the hardware (Seungwon, Vinod, Phillip & Guofei, 2013).
Typical Application of SDN. Figure 1: Software Defined Networking Architecture (Source: William, 2013).
Problem Statement • Network resources change rapidly, and management of Quality of Service (QoS) and security becomes challenging (Muhammad, Shyamala, Ali, and Bill, 2014). Network programmability and control-logic centralization introduce new fault and attack planes, which open the door to new threats that did not exist before or were harder to exploit (Diego, Fernando, Ramos and Paulo, 2013; Phillip, Seungwon, Vinod, Martin, Mabry and Guofei, 2012). • The OpenFlow (OF) paradigm embraces third-party development efforts, and therefore suffers from a potential trust issue with OF applications (apps). Abuse of such trust could lead to various types of attacks impacting the entire network.
Problem Statement (Cont'd.) • The ability to control the network by means of software (always subject to bugs and a score of other vulnerabilities) can be seen as an attractive honeypot for malicious users and a source of headaches for less prepared network operators. • Also, centralization of the network intelligence in the controller(s) means that anyone with unlawful access to the controller servers (for example through impersonation) could potentially control the entire network.
Research Question • How can the Software-Defined Network be protected from malicious attacks, given that potential security vulnerabilities exist across the SDN platform? • At the controller-application level, what mechanisms can be applied to control authentication and authorization while enabling multiple accesses to network resources and providing appropriate protection of these resources?
Aim: This work aims to design a secured Software Defined Network (SDN) architecture with inbuilt authentication and authorization mechanisms that will enable multiple access to network resources while providing appropriate protection of these resources.
Objectives • Design of an embedded security control measure in the OpenFlow flow table, controllable by the SDN controller. • Extension of the flow table with a security white/black list column for packet source identification/authentication. • Use of word hashing and Bayes' theorem as content-based packet filtering for source identification/authentication and as a learning tool for white/black list updates. • Comparison of the algorithm with other methods.
Related Work: Yutaka, Hung-Hsuan and Kyoji (2013) proposed a novel network system architecture that protects network devices from intra-LAN attacks by dynamically isolating infected devices using OpenFlow on detection. Seungwon, Vinod, Phillip, and Guofei (2013) proposed an extension to the OpenFlow data plane called connection migration, which dramatically reduces the amount of data-to-control-plane interaction. Such interaction is an inherent communication bottleneck between the data plane and the control plane, which an adversary could exploit by mounting a control-plane saturation attack that disrupts network operations.
Methodology: To address the aforementioned problem, an architecture and security algorithms were introduced to prevent malicious attacks in a Software Defined Network (SDN), using a white and black list combined with a content-based malicious filter to confirm the legitimacy of the users' application traffic. The algorithm has a learning capability: it updates the SDN architecture's black/white list using word hashing and Bayes' theorem as the content-based packet filtering update/feedback.
Proposed Architecture. Figure 1: Proposed Secured Software Defined Networking Architecture (Source: Field work).
Proposed SDN Security Transaction Process Data Flow
Proposed SDN Security Transaction Process Flowchart
Proposed SDN Security Transaction Process Algorithm
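The transaction process the Methodology and the three slides above describe (look the source up in the list column of the flow table first; run the content filter only for unknown sources; feed confident decisions back into the lists) as an added worked example. This is not the authors' code or the slides' own algorithm: the flow-table layout (a `sec_list` column on entries keyed by source address), the two decision thresholds, the size of the hashed feature space, and the training sentences are all assumptions constructed for the example. It goes slightly beyond the slides in one respect: an inconclusive score neither drops nor lists the source but hands the packet to the controller, the way an unmatched flow would be.

```python
import hashlib
import math
import re
from collections import defaultdict

# --- Word hashing ------------------------------------------------------------
WORD_RE = re.compile(r"[a-z0-9']+")
BUCKETS = 2 ** 20  # size of the hashed feature space (assumed)


def hash_word(word, buckets=BUCKETS):
    """Map a token to a stable bucket index. Hashing bounds the feature space
    and means the filter never has to store the raw vocabulary."""
    digest = hashlib.sha256(word.encode("utf-8")).digest()
    return int.from_bytes(digest[:4], "big") % buckets


def tokenize(text):
    return [hash_word(w) for w in WORD_RE.findall(text.lower())]


# --- Content-based filter: Bayes' theorem over hashed words -------------------
class BayesContentFilter:
    LABELS = ("malicious", "legit")

    def __init__(self):
        self.counts = {lab: defaultdict(int) for lab in self.LABELS}  # bucket -> count
        self.totals = {lab: 0 for lab in self.LABELS}                 # words per class
        self.docs = {lab: 0 for lab in self.LABELS}                   # messages per class

    def train(self, text, label):
        for b in tokenize(text):
            self.counts[label][b] += 1
            self.totals[label] += 1
        self.docs[label] += 1

    def prob_malicious(self, text):
        """P(malicious | words) = P(words | malicious) P(malicious) / P(words),
        with the naive independence assumption and Laplace smoothing,
        evaluated in log space to avoid underflow."""
        buckets = tokenize(text)
        n_docs = sum(self.docs.values())
        log_post = {}
        for label in self.LABELS:
            prior = (self.docs[label] + 1) / (n_docs + len(self.LABELS))
            lp = math.log(prior)
            for b in buckets:
                lp += math.log((self.counts[label][b] + 1) / (self.totals[label] + BUCKETS))
            log_post[label] = lp
        top = max(log_post.values())
        norm = sum(math.exp(v - top) for v in log_post.values())
        return math.exp(log_post["malicious"] - top) / norm


# --- Flow table with a security-list column (assumed layout) -----------------
class SecureFlowTable:
    def __init__(self, content_filter, black_at=0.9, white_at=0.1):
        self.table = {}  # src -> {"match": {...}, "action": ..., "sec_list": "white"|"black"}
        self.filter = content_filter
        self.black_at = black_at  # score at or above which a source is blacklisted (assumed)
        self.white_at = white_at  # score at or below which a source is whitelisted (assumed)

    def handle(self, src, payload):
        entry = self.table.get(src)
        # Step 1: source identification/authentication through the list column.
        if entry is not None:
            return "drop" if entry["sec_list"] == "black" else "forward"
        # Step 2: unknown source, so classify the content.
        p = self.filter.prob_malicious(payload)
        if p >= self.black_at:
            self._install(src, "black", "drop")
            self.filter.train(payload, "malicious")  # feedback: the model learns
            return "drop"
        if p <= self.white_at:
            self._install(src, "white", "forward")
            self.filter.train(payload, "legit")
            return "forward"
        # Step 3: inconclusive, so do not touch the lists; hand to the controller.
        return "inspect"

    def _install(self, src, sec_list, action):
        self.table[src] = {"match": {"ipv4_src": src}, "action": action, "sec_list": sec_list}


def build_filter():
    """Seed the filter with constructed sample messages (not real data)."""
    f = BayesContentFilter()
    for text in ("urgent claim your free prize now click here",
                 "free prize winner click here now to claim",
                 "urgent account suspended click here verify now"):
        f.train(text, "malicious")
    for text in ("meeting agenda attached for tomorrow review",
                 "please review the attached quarterly report",
                 "lunch tomorrow at noon agenda to follow"):
        f.train(text, "legit")
    return f


if __name__ == "__main__":
    table = SecureFlowTable(build_filter())
    for src, msg in (("10.0.0.5", "claim your free prize now"),
                     ("10.0.0.5", "hello, just saying hi"),
                     ("10.0.0.7", "quarterly report attached for review"),
                     ("10.0.0.9", "hello world")):
        print(src, "->", table.handle(src, msg), table.table.get(src, {}).get("sec_list"))
```

The second packet from 10.0.0.5 is dropped by the list lookup alone, without running the filter, which is the point of keeping the list in the flow table: the expensive content check runs once per source rather than once per packet. The two thresholds matter because the lists are updated from the filter's own verdicts; training only on confident decisions, and routing the rest to the controller, keeps a borderline message from permanently listing a source in either direction.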
Result (Cont'd.): result slides consisting of screenshots, including a "Malicious Inbox" view (images not captured in the text).
Comparison with other works
Conclusion • As a proof of concept, the findings demonstrate that an algorithm combining source identification/authentication (using a white/black list) with content-based filtering (using word hashing and Bayes' theorem) for malicious identification and packet classification provides an effective solution for grouping and identifying legitimate and malicious mail, and as such prevents malicious attacks from reaching their targeted host in a Software Defined Network. • The algorithm is efficient and effective, and served the purpose for which it was designed.
Recommendation • This research work recommends: • combined methods of source identification/authentication using a white/black list against malicious attacks in Software Defined Networks (SDN); and • combined word hashing and Bayes' theorem as the content-filtering mechanism and as a learning tool for list updates.
Contribution • A security control measure was introduced into the OpenFlow flow table to prevent malicious attacks in SDN. • The flow table was extended with a security white/black list column for packet source identification/authentication. • Word hashing and Bayes' theorem were introduced to SDN as content-based packet filtering for source identification/authentication and as a learning tool for white/black list updates.
References
Apporva, S., Prayag, V., Rohit, K., Shikha, M., and Rakesh, K. J. (2015). A-Z Installation Guideline for OpenFlow Simulation/Emulation Tool: Estinet 8.1. International Journal of Computer Applications (0975-8887), International Conference on Recent Trends & Advancements in Engineering Technology (ICRTAET).
Diego, K., Fernando, M. V., Ramos and Paulo, V. (2013). Towards Secure and Dependable Software-Defined Networks. HotSDN'13, August 16, 2013, Hong Kong, China. ACM 978-1-4503-2178-5/13/08.
Mark, R., Marco, C., Arjun, G. and Nate, F. (2013). FatTire: Declarative Fault Tolerance for Software-Defined Networks. HotSDN'13, August 16, 2013, Hong Kong, China. ACM 978-1-4503-2178-5/13/08.
Muhammad, H. R., Shyamala, C. S., Ali, N., Bill, R. (2014). A Comparison of Software Defined Network (SDN) Implementation. 2nd International Workshop on Survivable and Robust Optical Networks (IWSRON). Published by Elsevier B.V., Procedia Computer Science 32, 1050-1055. Available online at www.sciencedirect.com
Naous, J., Erickson, D., Covington, G. A., Appenzeller, G. and McKeown, N. (2008). Implementing an OpenFlow Switch on the NetFPGA Platform. ANCS '08, San Jose, CA, USA. ACM 978-1-60558-346-4/08/0011.
IETF Network Working Group (n. d.). Security Requirements in the Software Defined Networking Model. https://datatracker.ietf.org/doc/draft-hartman-sdnsec-requirements/
References (Cont'd.)
Sakir, S., Sandra, S., Pushpinder, K. C., Barbara, F., David, L., Jim, F., Niel, V., Marc, M., and Navneet, R. (n. d.). Are We Ready for SDN? Implementation Challenges for Software-Defined Networks.
Wolfgang, B. and Michael, M. (2014). Software-Defined Networking Using OpenFlow: Protocols, Applications and Architectural Design Choices. Future Internet 2014, 6, 302-336; ISSN 1999-5903. www.mdpi.com/journal/futureinternet
Marco, C., Daniele, V., Peter, P., Dejan, K. and Jennifer, R. (n. d.). A NICE Way to Test OpenFlow Applications. https://www.usenix.org/system/files/conference/nsdi12/nsdi12-final105.pdf
Seungwon, S., Vinod, Y., Phillip, P. and Guofei, G. (2013). AVANT-GUARD: Scalable and Vigilant Switch Flow Management in Software-Defined Networks. CCS'13, Berlin, Germany. ACM 978-1-4503-2477-9/13/11. http://dx.doi.org/10.1145/2508859.2516684
Yutaka, J., Hung-Hsuan, H. and Kyoji, K. (2013). Dynamic Isolation of Network Devices Using OpenFlow for Keeping LAN Secure from Intra-LAN Attack. 17th International Conference in Knowledge Based and Intelligent Information and Engineering Systems (KES2013). Published by Elsevier B.V. Selection and peer-review under responsibility of KES International. ScienceDirect, Procedia Computer Science 22, 810-819, 1877-0509. Available online at www.sciencedirect.com
Thanks for listening